svn commit: r366754 - head/sys/crypto/aesni

Marcin Wojtas mw at FreeBSD.org
Fri Oct 16 11:21:57 UTC 2020 

Author: mw
Date: Fri Oct 16 11:21:56 2020
New Revision: 366754
URL: https://svnweb.freebsd.org/changeset/base/366754

Log:
  Add support for ESN in AES-NI crypto driver
  
  This patch adds support for IPsec ESN (Extended Sequence Numbers) in
  encrypt and authenticate mode (eg. AES-CBC and SHA256) and combined mode
  (eg. AES-GCM).
  
  For the encrypt and authenticate mode the ESN is stored in separate
  crp_esn buffer because the high-order 32 bits of the sequence number are
  appended after the Next Header (RFC 4303).
  
  For the combined modes the high-order 32 bits of the sequence number
  [e.g.  RFC 4106, Chapter 5 AAD Construction] are part of crp_aad
  (prepared by netipsec layer in case of ESN support enabled), therefore
  non visible diff around combined modes.
  
  Submitted by:           Grzegorz Jaszczyk <jaz at semihalf.com>
                          Patryk Duda <pdk at semihalf.com>
  Reviewed by:            jhb
  Differential revision:  https://reviews.freebsd.org/D22365
  Obtained from:          Semihalf
  Sponsored by:           Stormshield

Modified:
  head/sys/crypto/aesni/aesni.c

Modified: head/sys/crypto/aesni/aesni.c
==============================================================================
--- head/sys/crypto/aesni/aesni.c	Fri Oct 16 11:18:13 2020	(r366753)
+++ head/sys/crypto/aesni/aesni.c	Fri Oct 16 11:21:56 2020	(r366754)
@@ -249,14 +249,15 @@ aesni_cipher_supported(struct aesni_softc *sc,
 	}
 }
 
+#define SUPPORTED_SES (CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD | CSP_F_ESN)
+
 static int
 aesni_probesession(device_t dev, const struct crypto_session_params *csp)
 {
 	struct aesni_softc *sc;
 
 	sc = device_get_softc(dev);
-	if ((csp->csp_flags & ~(CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD)) !=
-	    0)
+	if ((csp->csp_flags & ~(SUPPORTED_SES)) != 0)
 		return (EINVAL);
 	switch (csp->csp_mode) {
 	case CSP_MODE_DIGEST:
@@ -864,6 +865,10 @@ aesni_cipher_mac(struct aesni_session *ses, struct cry
 		else
 			crypto_apply(crp, crp->crp_payload_start,
 			    crp->crp_payload_length, ses->hash_update, &sctx);
+
+		if (csp->csp_flags & CSP_F_ESN)
+			ses->hash_update(&sctx, crp->crp_esn, 4);
+
 		ses->hash_finalize(res, &sctx);
 
 		/* Outer hash: (K ^ OPAD) || inner hash */

More information about the svn-src-all mailing list